View Issue Details

IDProjectCategoryView StatusLast Update
0004752OXID eShop (all versions)4.04. Securitypublic2012-11-27 16:59
Reportertjungcl 
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version4.6.5 revision 49955 
Target VersionFixed in Version4.6.6 revision 54646 
Summary0004752: double opt-in link reusable
Descriptionregarding https://bugs.oxid-esales.com/view.php?id=4463

The case is closed, because after the fix, you send a new confirmation email to the new email adress.

The link from the first double-opt-in email is reusable for any emailadress, though:

the uid=... param is the oxid of the user and independend of the emailadress.

So, you can double-opt-in with your own emailadress.
Then change the email-adress in the account settings, and click the link from the first double-opt-in email again.

if you would use as uid-param a hashcoded string from userid + emailadress, the link would be (re)usable only for this one combination.
TagsNo tags attached.
ThemeBoth
BrowserAll
PHP Versionany
MySQL Versionany

Relationships

duplicate of 0004753 resolvedaurimas.gladutis double opt-in can be fooled completly 

Activities

aurimas.gladutis

2012-11-27 16:59

reporter   ~0008001

Hi, thank you for your collaboration. We have added confirm key in newsletters confirmation. This should stop users from fooling newsletters activation.